APStrojan.qa@MM
- Type: Trojan
- SubType: AOL Password
- Discovery Date: 01/18/2000
- Length: 216,576 bytes
- Minimum DAT: 4064 (02/09/2000)
- Updated DAT: 4242 (01/11/2003)
- Minimum Engine: 5.1.00
- Description Added: 01/25/2000
- Description Modified: 04/04/2002 8:13 AM (PT)
Characteristics
This is a password stealer and mass-mailing Internet worm written in Visual Basic 5. It targets America Online software installations to recover the passwords of user accounts and sends the captured account details to the trojan's author. In addition, if the victim is logged on to AOL v4.0, it sends itself to the screen names in the victim's buddy list that are currently logged on to AOL.
The file arrives by email as an attachment named "mine.zip" (77,855 bytes) with the subject line "hey you". The message body claims the attachment contains scanned pictures:
--- copy of email forwarded to AOL members ---
hey i finally got my pics scanned..theres like 5 or 6 of them..so just download it and unzip it..and for you people who dont know how to then scroll down..tell me what you think of my pics ok?
if you dont know how to unzip then follow these steps
When you sign off, AOL will automatically unzip the file, unless you have turned this feature off in your download preferences.
If you want to do it manually then On the My Files menu on the AOL toolbar, click Download Manager. In the Download Manager window, click Show Files Downloaded. Select my file and click Decompress
Symptoms
Presence of the trojan's files, all with the hidden attribute set: MSDOS98.EXE in the root of C:, UNINST~1.EXE (the short name of uninstallms.exe) in the Windows folder and MINE.EXE in the Windows SYSTEM folder; slowness of the system; attempts to start REGEDIT are diverted; WIN.INI is marked READ-ONLY.
Method of Infection
Running the attachment, whether intentionally or accidentally, installs the trojan, which then mails itself to the victim's online buddies as described above.
Removal
1. Restart your computer. The worm blocks the Shut Down command, so turn the computer off and back on again. When you see the message "Starting Windows 95...", press F8, then choose "Safe mode command prompt only". Alternatively, boot from your bootable emergency floppy.
2. At the DOS prompt, type the following commands, pressing Enter after each one:
C:
ATTRIB -H MSDOS98.EXE
DEL MSDOS98.EXE
CD WINDOWS
ATTRIB -R WIN.INI
ATTRIB -H UNINST~1.EXE
DEL UNINST~1.EXE
CD SYSTEM
ATTRIB -H MINE.EXE
DEL MINE.EXE
3. Restart your computer. You will get a message saying uninstallms.exe could not be found; ignore it (the run= line in WIN.INI still refers to the deleted file until step 4).
4. Click Start, then Run, type c:\windows\win.ini (substitute your Windows folder if different) in the text box, then click OK. At the line starting with run=, delete everything after run=. Save the file and close Notepad.
5. Click Start, then Run, type regedit in the text box, then click OK. Expand HKEY_LOCAL_MACHINE, then Software, Microsoft, Windows, CurrentVersion, Run. Highlight the value named "Windows" whose data is "c:\msdos98.exe" and press Delete. Answer Yes when asked whether you are sure. Close regedit.
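The removal steps above edit the trojan's two autostart points by hand: the run= line in the [windows] section of WIN.INI (step 4) and the "Windows" value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run (step 5). The following Python script is an added example, not McAfee's code, that performs the same triage offline against a copied WIN.INI and a REGEDIT4 export of the Run key, flags any entry that launches one of the file names listed under Symptoms, and produces the clean-up artefacts for steps 4 and 5. The WIN.INI and .reg contents it uses are constructed samples, not captures from an infected host; the exact run= line and the legitimate ScanRegistry value are assumptions made for illustration.

```python
"""Offline triage of the APStrojan.qa@MM autostart entries (added example, not McAfee's code)."""
import re
from typing import Dict, List

# File names this page ties to the trojan, matched case-insensitively on the basename.
TROJAN_FILES = {"msdos98.exe", "uninstallms.exe", "uninst~1.exe", "mine.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of an infected WIN.INI; the run= line is an assumption, not a capture.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\uninstallms.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed REGEDIT4 export of the Run key; "Windows" is the value step 5 deletes,
# ScanRegistry stands in for a legitimate entry that must survive the clean-up.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windows"="c:\\msdos98.exe"
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style text (WIN.INI and .reg exports share the layout) into
    {section name lowercased: {key: value}}; the first occurrence of a key wins."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), value.strip())
    return sections


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _reg_unquote(token: str) -> str:
    """Strip the quotes of a REGEDIT4 string and undo its backslash escapes."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return re.sub(r"\\(.)", r"\1", token)


def win_ini_run_programs(win_ini: str) -> List[str]:
    """Programs started by the run= line of [windows]. WIN.INI separates several
    entries with spaces or commas, so paths containing spaces are not handled."""
    section = parse_ini(win_ini).get("windows", {})
    run_line = next((v for k, v in section.items() if k.lower() == "run"), "")
    return [p for p in re.split(r"[,\s]+", run_line) if p]


def reg_run_values(reg_export: str) -> Dict[str, str]:
    """Value name -> command line for every value under the Run key in a REGEDIT4 export."""
    section = parse_ini(reg_export).get(RUN_KEY.lower(), {})
    return {_reg_unquote(k): _reg_unquote(v) for k, v in section.items()}


def find_indicators(win_ini: str, reg_export: str) -> List[str]:
    """Report each autostart entry that launches one of the trojan's file names."""
    findings: List[str] = []
    for prog in win_ini_run_programs(win_ini):
        if _basename(prog) in TROJAN_FILES:
            findings.append(f"WIN.INI [windows] run= launches {prog}")
    for name, cmd in reg_run_values(reg_export).items():
        target = cmd.split(" ", 1)[0] if cmd else ""  # drop arguments such as /autorun
        if _basename(target) in TROJAN_FILES:
            findings.append(f'{RUN_KEY} value "{name}" = {cmd}')
    return findings


def clean_win_ini(win_ini: str) -> str:
    """Step 4 without Notepad: blank the run= line of [windows], leave everything else intact."""
    out: List[str] = []
    in_windows = False
    for line in win_ini.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped[1:-1].strip().lower() == "windows"
        elif in_windows and stripped.lower().startswith("run="):
            line = "run=\n"
        out.append(line)
    return "".join(out)


def reg_delete_script(value_names: List[str]) -> str:
    """Step 5 as a .reg file: in REGEDIT4 syntax, "name"=- deletes that value when merged."""
    lines = ["REGEDIT4", "", f"[{RUN_KEY}]"] + [f'"{n}"=-' for n in value_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_WIN_INI, SAMPLE_REG_EXPORT):
        print(finding)
    print(reg_delete_script(["Windows"]))
```

Two practical notes. The DOS commands in step 2 assume the prompt starts in the root of C:; if it does not, run CD \ before the first ATTRIB. And because ATTRIB -H only clears the hidden attribute, check with DIR /A that each file is really gone after DEL before rebooting; a file that still carries another attribute will survive and be relaunched from the autostart entries this script looks for.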
Variants
- APStrojan.gen18b
- APStrojan.gen18c
All Information
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- MINE.EXE
- PWSteal.Trojan (NAV)
- Troj/Mine (Sophos)
- TROJ_APS.216576 (Trend)
- Trojan.AOL.Cool (AVP)
- Trojan.PS.AOL.21657 (Panda)
- Uninstallms.exe
- W95/Trojan.Cool (F-Prot)